The last two steps on the access-control to do list are to specify and bid, then test the new system.
5. Spec and Bid the Right Way
The next-to-last step is to actually procure the system. This step can be as simple as signing a contract and issuing a purchase order. But that's the wrong way to do it. The right way is to identify the specifications needed for any system that can do the job.
Never write a specification document based on what a sales person said and never write it from the specifications outlined in the specific product you may be looking at or that a sales person said was the best on the market. Instead, develop a list, as extensive as you wish, but one that takes in all of your existing methods of operation, i.e., your networking platforms, existing applications that you plan to integrate, how you want it to perform, and the kind of card (not a specific name brand) that has the method of operation you intend to use.
An example would be that you need a contactless card that has a bar code for store purchases, magnetic stripes for other business operations, and the capability to contain logos, pictures, and other identifiers within the card surface. If you plan to store more information and to embed working applications on the card, then a smart card with a computer chip inside needs to be identified.
Once your list is created — and hopefully the IT department was an integral player in its development — the next step is developing a bid document to send to qualified vendors. Depending on your individual situation regarding procurement laws or processes, you may need to set up a method to answer questions as they arise during the process. Many facilities are governed by agency requirements that mandate a certain number of vendor bids, and, once the request for proposals is "put on the street," the office handling the bid may prohibit the end user from answering questions from the vendors, who may communicate only with the bid office. This prevents any of the bidders from filing a grievance on perception of favoritism.
Once the bids are in, a checklist of the requirements is generated, and each of the vendor responses is reviewed to determine whether it complies with the specific items. This process ensures that what you want to have done can actually be accomplished with that particular product. The more in-depth the questions, the more confident you will be later once the product is paid for.
As an example, if you ask whether a particular access control software is compatible with using a MiFare type card, the answer may be "yes, but..." A better question would be whether the software is compatible with a MiFare card without having to generate new software language or scripts for it to work. Software compatibility is one place where costs can be hidden. If the software isn't as compatible as you expected, you end up with either cost overruns or, in some cases, work-arounds that end up affecting the other integrated applications. This is a dangerous road to go down; those changes continually come back to haunt you because you don't have confidence in how to fix problems that arise.
6. Test the System Carefully
Once the system is procured, it's easy to think that life is good. But in reality, this is where things can go wrong if you're not careful or don't have checks and balances in place. The first item to install is the head end or server that will control the access control system. All software and any other component items should be installed and tested prior to replacing any old card readers with new ones. When dealing with multiple buildings, select a "test bed" where any issues or bugs can be worked out as they occur. Enough time for testing is needed to ensure that the access control system works as intended. But if the project involves integrating other systems, those systems need to be kept running regardless of the new access control. Bringing on those systems one by one can help to avoid major problems and it allows existing functionality to be used to maintain operations.
Robert F. Lang, CPP, CEM, is chief security officer at Kennesaw State University. Previously, he held the positions of director of homeland security and director of research security at Georgia Tech, where he was the head security planner for the Olympic Village on Georgia Tech's campus at the 1996 Olympic Games. He can be reached at email@example.com.
Access Control Systems: Six Key Planning Steps
How To Select The Right Type Of Access Control Card
When Planning Access Control System, It’s Crucial To Get IT Involved
How To Specify, Bid, And Test The New Access Control System
Product Showcase: Access Controls